E. M. Recio wrote:
> Has anyone figured out a RegEx for culling SMTP Auth messages from the
> sendmail logs. Basically, I am getting these SMTP Auth messages trying
> all these different usernames. They do this for hours on end trying
> everything from a to z. I typically don't find out until logwatch lets
> me know.

No regex, sendmail's log doesn't show IP or user for this kind of attack, so DenyHosts wouldn't be able to use that log... at least that is what I see in Solaris, is it different elsewhere?

What I use is milter_error, which basically counts the errors and when a threshold is reached blocks the connection for a specified period. It doesn't use tcp-wrappers support.

Since authentication is done by sasl (saslauthd) the log that shows the IPs is a different one, perhaps it could be tweaked to work with DenyHosts. I haven't tried, also have never seen attacks go for hours, the authentication tries are very short bursts.

--
René Berber

_______________________________________________
Denyhosts-user mailing list
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
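
An added example, not part of the original post and not milter_error's own code: the count-and-block behaviour described in the reply, run over constructed log lines. The record layout, the function name `find_blocks` and the threshold, window and block values are assumptions for illustration; a real saslauthd log would need its own pattern.

```python
import re
from collections import defaultdict, deque

# Constructed sample records: "<epoch-seconds> AUTH-FAIL ip=<addr> user=<name>".
# This layout is an assumption for the example, not sendmail's or saslauthd's format.
SAMPLE_LOG = """\
1000 AUTH-FAIL ip=192.0.2.10 user=a
1002 AUTH-FAIL ip=192.0.2.10 user=b
1003 AUTH-OK ip=198.51.100.7 user=rene
1004 AUTH-FAIL ip=192.0.2.10 user=c
1005 AUTH-FAIL ip=192.0.2.10 user=d
1006 AUTH-FAIL ip=192.0.2.10 user=e
1500 AUTH-FAIL ip=198.51.100.7 user=rene
2000 AUTH-FAIL ip=192.0.2.10 user=f
"""

LINE_RE = re.compile(r"^(\d+) AUTH-FAIL ip=(\S+) user=\S+$")

def find_blocks(log_text, threshold=3, window=60, block_for=600):
    """Return [(ip, block_start, block_end)] for each time an IP reaches
    `threshold` failures within `window` seconds."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    blocked_until = {}            # ip -> epoch second when the block expires
    blocks = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # successes and unrelated lines are ignored
        ts, ip = int(m.group(1)), m.group(2)
        if blocked_until.get(ip, 0) > ts:
            continue              # still blocked: this attempt would be refused
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= threshold:
            blocked_until[ip] = ts + block_for
            blocks.append((ip, ts, ts + block_for))
            q.clear()             # start counting afresh once the block expires
    return blocks

if __name__ == "__main__":
    for ip, start, end in find_blocks(SAMPLE_LOG):
        print(f"block {ip} from {start} until {end}")
```

A short window suits the short bursts mentioned in the reply; a single failed login from a legitimate user (the 198.51.100.7 record) never reaches the threshold.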
